As discussed personally, there are valid use cases to generate a key from the browser. e.g. in scenarios with a fresh installation where the javascript in the browser never has access to the private key.

For gpgme-json we implement this for now by using the non restricted socket for keygen. But as this misses the origin messages in the pinentry it would be better if the restriction forbidding the keygen was removed in the gpg-agent.